TL;DR: In this piece, I will arrive at certain definitive conclusions on the actors’ intent as well as directly attribute parts of the operation to a soft war/propaganda arm of the Iranian government. This is not an attempt at domestic sabotage but a desperate bid to propagate a counter-narrative — as Iran feels suffocated by the Western media’s discourse, portraying it in a uni-dimensional way.

Before you start reading, let me offer a mild advisory: I am sorry to say this, but the playbook of polarisation on which the Iranians are piggybacking is the handiwork of our very own political parties. The vicious, vitriolic and divisive narrative fostered by the right-wing fringe has created an environment that is ripe for exploiting the growing sense of alienation among the minorities of India. Of course, now the centrist and left-leaning parties, too, have jumped on the ‘fake news’ bandwagon. There was even a ridiculous attempt to weaponise Part I of this piece for political gains (an article on disinformation becoming disinformation). So, let me offer some friendly advice to the fringe mob: get the f**k off my lawn! Infowar is a war of attrition: its only aim is the endless and cyclical degradation of the discourse. The trolls may win a street fight or two, but the nation loses.

Now, a comment on the approach I followed and why. After reading Part I, a self-proclaimed cyber journalist asked me, “But where are the graphs and the link diagrams?” Well, here’s the thing: those fancy data-driven visualisations explain the whats and the whos, not the whys. To read the actors’ minds, you need to go deep, not wide. And in any case, Twitter has already marked the data boundaries of the campaigns — I can’t outwit Twitter. It’s time to understand the motivation. Scott A. Terban’s advice comes in handy: use a “single threaded data denial model as opposed to perhaps a more hybrid solution.”

Let’s come to the technical analysis. In the previous part, we focused on the propaganda factory hindkhabar.com or hindkhabar.in. I am surprised to see that the .com mirror is still operational, and it is only now that Twitter and Facebook took down the linked accounts and pages.

However, in this dataset, Twitter has made an effort to clamp down on another factory: janpost.in. The SSL certificate history of this domain at RiskIQ tells me that janpost.in initially pointed to a subdomain of whatthebeep.in.

The portal whatthebeep.in offers an interesting insight into the content propagation strategy of the actor(s). I see that a lot of content is getting re-packaged as satire and humour. It is, in fact, evident from the new dataset that Twitter has taken down many parody accounts of politicians and journalists with an anti-establishment view. In a very subtle and coy sort of way, such seemingly harmless content may intermittently be weaponised into political propaganda.

As we came to know from Part I, a lot of such re-purposed content was legitimised by leading Indian politicians and journalists, leading to hundreds of thousands of social media impressions. I won’t go too deep into the impact this time, but here’s a good example: filmstar Akshay Kumar inadvertently re-tweeting a post from whatthebeep.in. Even in this case, the websites I will be listing gained major amplification by renowned influencers. Also note that Facebook’s takedown strategy is not as effective as that of Twitter — many pages are still live.

Since, technically, these are not covert projects but merely outfits which promote alternate narratives, the trail of attribution is quite clear. A little bit of passive DNS intelligence would tell you that the aforementioned portals are linked to Indian companies like iwrkmedia.com, yaminfotek.com, and five9digitalmedia.com. You will find many persons of interest there.

And since I am talking about persons of interest — unlike the last time when I wanted to respect their privacy — let me specifically profile two individuals.

Particularly aggrieved that his decade-old Facebook and Twitter accounts were suspended, Kararvi has since created an alternate handle @RazaviSayyid. His Instagram profile shows him hobnobbing with senior Shia clergy. Kararvi is also affiliated with the website husainiyouths.org.

Of course, none of what Kararvi does is illegal in India, but it’s the fine balance between frustration, alienation, and activism, and eventual radicalisation that may become difficult to maintain amidst the barrage of online propaganda.

In Part I, I had mentioned that the Iranian nexus had local content contributors but refrained from naming them. The second person of interest whose account was suspended in December is journalist Syed Hujjat Reza. But even way back in October, I had passed on his name to a contact at The Indian Express. Reza, as I found out, was once employed with hindkhabar.in, which was busted during the Twitter takedowns of August 2018. He feigned ignorance on the Iranian connection but the eventual suspension of his handle points to the obvious. This gentleman from Lucknow has actually worked with mainstream publications like The Pioneer and The Hindustan Times.

Edit, February 16, 2019: I want to flag another individual. Rahil Abbas Ajani’s LinkedIn profile mentioned that he had earlier worked for the disinformation outlet hindkhabar.in. I had also forwarded Ajani’s credentials to my contact at The Indian Express. He denied any such involvement during a telephonic interview. But I see that he’s following Kararvi’s new Twitter handle, and that he’s currently employed with the suspicious news company five9digitalmedia.com.

The Shia population of India is close to 45 million. At this point, I would like to add that during the course of this investigation, I stumbled upon the profiles of many young Shia Muslims. A lay person may find it difficult to understand this affinity towards Iran, but it’s the natural outcome of a shared identity and heritage that spans history, geography and culture. I am just saying that the security agencies are advised to tread this path a little sensitively. Because, while analysing another disinformation page on Facebook, I stumbled upon the pictures of many Shia youngsters draped in the Indian tricolour. Things are not as black-and-white as they seem:

Another handle which was brought down by Twitter offers a peek into the motivation of the actors affiliated with Iran. Borrowing from the playbook of the Russians, I earlier suspected it to be a coordinated influence operation with specific, actionable objectives. But the Iranian planet-scale campaign is actually a grassroots machinery of ‘soft war’ — an effort to consolidate the global Shia community, bring some cohesion into its ideology, and tap into its sentiments for political purposes. The Twitter handle of the ‘Soft War Team’ was suspended but its Facebook page remains operational.

The term “soft war” has been popularised by the Leader of the Islamic Revolution Ayatollah Seyyed Ali Khomeini — who broadly defines it as sustained Western propaganda to vilify and undermine the Iranian theocratic state. Probably via grassroots Shia groups, the term has now been re-purposed and moulded into a strategy of information warfare against those very Western interests.

Roughly translates to: “In this era of soft war, the young students are the foot soldiers manning this new frontier.”

I made a big breakthrough while investigating a domain linked to a suspended Twitter account allegedly operating from Lucknow. Its official URL pointed to wilayat.in, which was registered in 2015 by [email protected]. A quick search revealed that the owner of [email protected] operated many other websites from Iran, and his credentials are listed at many places as:

This is probably the first case of direct attribution of the global operation to an arm of the Iranian state.

I have also extracted the domain names found in the content of the tweets of the banned accounts. There are dozens more disinformation portals (a detailed list is pasted below).
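One way to carry out the domain extraction described above, as an added example that is not the code used for this investigation: it pulls linked hostnames out of tweet text, counts how many distinct accounts pushed each one, and flags names that recur across TLDs the way hindkhabar.com and hindkhabar.in do. The sample rows are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample rows (account id, tweet text); not taken from Twitter's dataset.
SAMPLE_TWEETS = [
    ("acct_a", "Read this: http://www.hindkhabar.com/story/1 via @someone"),
    ("acct_b", "https://hindkhabar.in/story/1."),
    ("acct_b", "Satire! https://WhatTheBeep.in/p/42, lol"),
    ("acct_c", "janpost.in/news/7 must read"),
    ("acct_c", "no links here"),
]

# Matches http(s) URLs and bare host/path tokens such as "janpost.in/news/7".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)

def extract_hosts(text):
    """Return the normalised hostnames linked in one tweet."""
    hosts = []
    for raw in URL_RE.findall(text):
        url = raw if "://" in raw else "http://" + raw
        host = (urlsplit(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.append(host)
    return hosts

def summarise(tweets):
    """Map host -> (number of mentions, number of distinct accounts)."""
    mentions, accounts = defaultdict(int), defaultdict(set)
    for account, text in tweets:
        for host in extract_hosts(text):
            mentions[host] += 1
            accounts[host].add(account)
    return {h: (mentions[h], len(accounts[h])) for h in mentions}

def mirror_groups(hosts):
    """Group hosts sharing a left-most label across TLDs (a heuristic, no
    public-suffix list), so .com/.in mirrors of one outlet surface together."""
    groups = defaultdict(set)
    for h in hosts:
        groups[h.split(".")[0]].add(h)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    stats = summarise(SAMPLE_TWEETS)
    print(stats)
    print(mirror_groups(stats))
```

The distinct-account count matters more than raw mentions here: a domain pushed by many suspended handles is a stronger lead for passive DNS and certificate pivoting than one spammed by a single account.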

So, what’s my parting advice? Don’t mess with the diversity and pluralism of India — it backfires. As I wrote in a recent op-ed:

For India, a lesson from the former deputy director, National Security Agency, Chris Inglis, holds true, “Diversity beats audacity.” Like the Himalayas, our pluralism offers a natural defence against foreign interference, something which should be fostered rather than tampered with.

Cyber geo-strategy does not exist as a formal discipline in India. This blog takes a shot at it.

It also curates Pukhraj's publications on cybersecurity spanning a decade. His bylines have appeared in The Indian Express, The Tribune, Deccan Herald, The Print, Huffington Post, BW BusinessWorld, The Quint, and Seminar.

Pukhraj was also recognised as a social activist while running Abroo, a now-defunct sociopolitical initiative for the Dalits of Punjab.